1 Answer
2
It would be much better to do this with a single distribution - this is a fairly common requirement from customers and you can implement it using custom error pages in CloudFront, along with AWS WAF.
To implement this:
- Create the maintenance page in an S3 bucket as you originally intended
- Create a new Origin in your CloudFront distribution that points to the S3 Bucket. Use OAI/OAC as required.
- Create a new Behavior in your CloudFront distribution with the S3 Bucket as the origin. Use a path that's not currently part of your application, e.g. /errors
- Configure Custom Errors for your distribution so that your maintenance page is served in the case of a 403 error. Add other error codes if you wish.
- Configure an AWS WAF WebACL and attach it to your CloudFront distribution. If you already have a WebACL attached, you can simply modify that one.
- Create a new custom rule in AWS WAF and place it at the top of the WebACL. The rule should match all traffic - but you may want to add an exception for your own IP address(es) so that you won't receive the maintenance page. Make sure the rule action is set to COUNT
- When you want to invoke the maintenance page, simply change the rule action to BLOCK - this will cause a 403 error to be returned to all of your viewers. The error will be handled by CloudFront, which will display your maintenance page. When you want to return the application back to service, simply switch the rule action back to COUNT
- If you wish, you could use a Lambda function to toggle the rule action. You can then trigger the Lambda function in a variety of ways to suit your use case.
answered 2 days ago
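The toggle from the last two steps, as an added example that is not part of the answer above: a Lambda-style handler that flips the maintenance rule between COUNT and BLOCK through the WAFv2 API. The rule name "maintenance-mode", the WebACL name/ID and the event shape are assumptions; the rule-editing helpers are pure so they can be exercised without AWS access.

```python
"""Toggle a WAFv2 maintenance rule between COUNT and BLOCK (added example).

Assumes a WebACL with scope CLOUDFRONT (which lives in us-east-1) containing
a rule named "maintenance-mode" that matches all traffic. Names and IDs are
placeholders supplied through the event.
"""
import copy

MAINTENANCE_RULE = "maintenance-mode"  # assumed rule name


def set_rule_action(rules, rule_name, action):
    """Return a copy of `rules` with `rule_name` set to 'COUNT' or 'BLOCK'.
    Other rules are left untouched; missing rule or bad action raises."""
    if action not in ("COUNT", "BLOCK"):
        raise ValueError(f"unsupported action {action!r}")
    new_rules = copy.deepcopy(rules)
    for rule in new_rules:
        if rule["Name"] == rule_name:
            # WAFv2 rule actions are a one-key dict: {"Count": {}} or {"Block": {}}
            rule["Action"] = {action.capitalize(): {}}
            return new_rules
    raise KeyError(f"rule {rule_name!r} not found in WebACL")


def current_action(rules, rule_name):
    """Return the named rule's action as an upper-case string, e.g. 'COUNT'."""
    for rule in rules:
        if rule["Name"] == rule_name:
            return next(iter(rule["Action"])).upper()
    raise KeyError(f"rule {rule_name!r} not found in WebACL")


def set_maintenance_mode(web_acl_name, web_acl_id, enabled):
    """BLOCK the rule when enabled (CloudFront then serves the 403 page), else COUNT."""
    import boto3  # imported here so the pure helpers above run without it

    waf = boto3.client("wafv2", region_name="us-east-1")
    acl = waf.get_web_acl(Name=web_acl_name, Scope="CLOUDFRONT", Id=web_acl_id)
    body = acl["WebACL"]
    new_rules = set_rule_action(body["Rules"], MAINTENANCE_RULE,
                                "BLOCK" if enabled else "COUNT")
    # update_web_acl replaces the whole rule list; LockToken prevents lost updates
    waf.update_web_acl(
        Name=web_acl_name, Scope="CLOUDFRONT", Id=web_acl_id,
        DefaultAction=body["DefaultAction"], Rules=new_rules,
        VisibilityConfig=body["VisibilityConfig"], LockToken=acl["LockToken"],
    )
    return current_action(new_rules, MAINTENANCE_RULE)


def lambda_handler(event, context):
    """Assumed event shape: {"enabled": bool, "webAclName": str, "webAclId": str}."""
    action = set_maintenance_mode(event["webAclName"], event["webAclId"], bool(event["enabled"]))
    return {"maintenanceRuleAction": action}
```

Leave a rule for your own IP addresses at a lower priority number than the maintenance rule if you want to keep seeing the live application while it is blocked for everyone else.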
Perfect way of doing this Paul L. There's no worries with DNS cache here either.